Akamai Warns of Account Takeovers Staged from Cameras, Routers

A long-known weakness in an authentication protocol shipped in millions of routers, surveillance devices and satellite antennas is being used in attempts to compromise accounts at popular web services, according to new research from Akamai.

Akamai, which offers content delivery network services, says the equipment is being used as relays for "credential stuffing" attacks, where breached logins and passwords are used in an attempt to take over accounts. The IoT devices effectively act as proxies, masking the IP addresses from where the attacks actually originate.

The networking vendor cautioned that the technique is not a new vulnerability or attack, but that it has seen a dramatic rise in strikes against its customers.

"While this has been reported before, the vulnerability has resurfaced with the increase of connected devices," Akamai says in a 10-page technical report. "Our team is currently working with the most prevalent device vendors on a proposed plan of mitigation."

Experts have warned that the increasing connectivity incorporated into devices will pose new security risks, and the last couple of months have proved their predictions true. IoT devices are often poorly secured, ship with default login credentials and are never updated by manufacturers, making them more attractive targets than PCs, which are generally more secure.

SSHowDowN

The situation described by Akamai doesn't involve DDoS attacks. The company began investigating a network video recorder that was sending suspicious traffic to its customers.

The device shipped with default passwords, which made it easy for attackers to take it over. Although users are encouraged to change default passwords, they're often left in place for as long as the device lives.

Many IoT devices ship with OpenSSH, an implementation of Secure Shell (SSH), a protocol that allows remote login. This particular DVR wouldn't allow someone to gain access to SSH using the default credentials. But the SSH configuration does allow someone to use the device as a proxy and forward their attack traffic through the IoT device to another service.

This authentication bypass vulnerability, which can allow for what's called a "port bouncing attack," has been known for at least 12 years. Although some devices can be fixed to eliminate the vulnerability, other IoT devices can't be fixed, writes Eric Kobrin, who is director of adversarial resistance at Akamai. The company nicknamed the attack SSHowDowN.

Some of the attack traffic came from routers made by Ruckus Wireless, which is now owned by Brocade Communications Systems. Ruckus issued an advisory and a patch in 2013.

"It was discovered that a malicious user could abuse the TCP tunneling feature of the SSH daemon on Ruckus devices to proxy random TCP streams," the advisory reads. "The user does not have to be authenticated to the Ruckus device for requesting and establishing such a tunnel. Once a tunnel is established, the user's TCP stream would be carried over SSH to the Ruckus device, which would forward the traffic to an IP and port of the user's choosing."
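An added example, not taken from Akamai's report or from this article: an offline check of an sshd_config for the TCP forwarding behaviour described above. `AllowTcpForwarding` and its default of `yes` are standard OpenSSH; the sample configurations are constructed and the function names are hypothetical.

```python
import re

# Values that let a client ask sshd to open outbound TCP connections on its behalf.
RISKY = {"yes", "all", "local"}
DEFAULT = "yes"  # OpenSSH default when AllowTcpForwarding is absent


def effective_forwarding(config_text):
    """Map each scope ('global' or a 'Match ...' line) to its AllowTcpForwarding value."""
    values = {}
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)  # keyword, optional '=', arguments
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = "Match " + arg              # later keywords apply to this block
        elif keyword == "allowtcpforwarding":
            values.setdefault(scope, arg.lower())  # sshd keeps the first value it reads
    values.setdefault("global", DEFAULT)
    return values


def forwarding_findings(config_text):
    """Return the scopes in which sshd would relay client-chosen TCP connections."""
    return sorted(s for s, v in effective_forwarding(config_text).items() if v in RISKY)


# Constructed sample: the global setting looks hardened, but a Match block re-enables it.
SAMPLE_MATCH_OVERRIDE = """\
# device sshd_config (constructed sample)
PasswordAuthentication yes
AllowTcpForwarding no
Match User admin
    AllowTcpForwarding yes
"""
SAMPLE_KEYWORD_ABSENT = "PasswordAuthentication yes\n"                # default applies
SAMPLE_FIRST_WINS = "AllowTcpForwarding no\nAllowTcpForwarding yes\n"  # first line wins

if __name__ == "__main__":
    for name in ("SAMPLE_MATCH_OVERRIDE", "SAMPLE_KEYWORD_ABSENT", "SAMPLE_FIRST_WINS"):
        print(name, forwarding_findings(globals()[name]))
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; the parser above is for reviewing configuration files pulled from firmware images or backups.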

IoT Security Standards

Compromising IoT devices offers a layer of security for hackers. The services experiencing the attack see the IP address of the hacked device in their logs. The owner of the IoT unit invariably has no idea about the abuse.

ISPs can also detect attack traffic and alert customers whom they think may have an infected device on their network. But IoT devices, particularly older ones, may no longer be supported by manufacturers and receive no security updates. Users plug in the devices, and as long as they're functioning, forget them.

Efforts are underway to ensure that future generations of devices can't be compromised so easily. The Open Connectivity Foundation has developed a security framework that is designed to allow IoT devices to communicate securely. The group is aiming to develop standards as well as a certification program that can be used across the industry.

And there is a sense of urgency: Gartner predicts that by 2020, some 20.8 billion IoT devices will be in use, up from about 6.4 billion this year, adding to a massive pool of already insecure devices - which could cause headaches for years to come.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
